apache2 abstraction incomplete

Bug #1658238 reported by Kees Cook
This bug affects 1 person
Affects              Status        Importance  Assigned to  Milestone
AppArmor             (status tracked in Master)
  2.10               Fix Released  Undecided   Unassigned
  2.11               Fix Released  Undecided   Unassigned
  2.9                Fix Released  Undecided   Unassigned
  Master             Fix Released  Undecided   Unassigned
apparmor (Ubuntu)    New           Undecided   Unassigned

Bug Description

Apache2 needs updates for proper signal handling, optional saslauth, and OCSP stapling...

--- apache2-common 2014-06-24 11:06:06.000000000 -0700
+++ /etc/apparmor.d/abstractions/apache2-common 2015-05-21 07:51:49.000000000 -0700
@@ -8,6 +8,8 @@
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
   signal (receive) peer=/usr/sbin/apache2,
+ # Allow other hats to signal by default
+ signal peer=/usr/sbin/apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},

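Review bot: The added rule `signal peer=/usr/sbin/apache2//*,` carries no access mode, unlike the two `signal (receive)` rules above it, so it permits both sending and receiving every signal between the including profile and any hat of /usr/sbin/apache2, while its comment only says "Allow other hats to signal". If hats only need to accept signals from sibling hats, restrict the direction, for example `signal (receive) peer=/usr/sbin/apache2//*,`; if both directions are intended, say so in the comment so the breadth is a documented choice.
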
@@ -25,3 +27,12 @@

   /dev/urandom r,

+ # sasl-auth
+ /run/saslauthd/mux rw,
+
+ # OCSP stapling
+ /var/log/apache2/stapling-cache rw,

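Review bot: Both added file rules hard-code a single path in an abstraction that every apache2 hat includes: `/run/saslauthd/mux rw,` will not match on systems where the socket is reached under a real /var/run directory, and `/var/log/apache2/stapling-cache rw,` gives every hat write access to a file in the log directory whether or not stapling is configured to use that location. Consider `/{,var/}run/saslauthd/mux rw,` for the socket, and extend the "OCSP stapling" comment to state which cache location the rule assumes. Separately, the header `@@ -25,3 +27,12 @@` declares 12 lines on the new side but only three context lines and five added lines are visible, so the hunk as posted looks incomplete and should be checked against the committed revision.
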
Seth Arnold (seth-arnold) wrote :

Committed revision 3625.
Committed revision 3381.
Committed revision 3046.

Thanks
